IE hole exposes local files

Microsoft(MSFT) moved to fix a security hole today in its Internet Explorer 4.0 Web browser that allows malicious Web sites to obtain content of a text, HTML, or image file from a user?s hard disk.

As first reported in the German computer magazine C't, the flaw exists in IE 4.0 for Windows 95 and NT.

The problem was originally discovered by Internet consultant Ralf Hueskes, who recently reviewed IE 4.0 for the German publication. He concluded that the security hole is not an error in code but has its reasoning in the concept of the program. It even exists when Microsoft's flagship browser's security options are set on the highest standard values, he told the German magazine.

According to Microsoft, the problem has not been reported by any users. The company insisted that users can implement the security zones feature in IE 4.0 to prevent the bug.

Microsoft will post a bug fix to its Web site, though, within the next 24 hours, the company added.

IE 4.0 product manager Kevin Unangst said the bug allows a malicious Web page that is intentionally designed to exploit this problem to access the contents from a text file, HTML file, or graphic image from a unsuspecting user's hard disk.

He pointed out that the Web page must be specifically designed to obtain certain files, "to the level of including the exact file name and location, and that file must be an HTML, text, or image file. Even if those conditions are met, the site cannot destroy or tamper with any data," he wrote.

However, German researcher Hueskes told C't magazine that even a corporate network secured by a firewall is vulnerable to attack.

The bug is based on dynamic HTML. The intruder hides a command with a reference to the wanted document in a mail or Web page. While the victim reads, the Microsoft browser or the mail client Outlook Express loads the referenced file into an invisible window. An additional hidden command then sends it to the hacker's server, according to Hueskes.

Although this represents a significant intrusion into the victim's Internet experience, the intruder can't change or delete the file, only read it.

C't editors quickly gave Microsoft a heads-up of the problem, and the software giant said today that a bug patch would be up on its Web site within 24 hours.

Microsoft's Unangst said users can configure IE 4.0's Security Zones to offer protection against the bug by disabling scripting for unfamiliar sites. From the View menu, choose "Options," then the "Security" tab. Select "restricted sites zone." Then, click on "Custom," then "Setting." Under the "Scripting" option list, choose to disable "Active Scripting." Users can add any unfamiliar sites to this zone if they desire.

Administrators can also use Security Zones to prevent this from occurring on their intranet, he added.

Though users are protected, however, important functions are lost and many Web offerings are not accessible anymore, C't editors pointed out.

Although the bug patch wasn't up early Friday, a Microsoft spokesperson insisted it would be posted within the announced 24-hour time period.